Internet security

ABSTRACT

In a communications system in which an incoming email is received at an email server within a secure domain, the incoming email is copied to a secondary server outside that secure domain. The copy email message can then be retrieved from the secondary server from a remote device outside the secure domain.

Email and email messages are terms which are used broadly to describe digital messages which are transmitted over Internet protocol networks or generated using data residing in personal information management applications such as calendar, contact or task list applications. Such digital files may include text, voice or images, or any combination of these.

Email messages are delivered to an email server and can be retrieved by means of a personal computer (‘PC’) which is a client of the server. If the PC leaves a copy of an email message on the server, then other clients can retrieve the email message. This can be useful where, for example, a subscriber wishes to be able to retrieve email messages from both home and office.

However, there is a security risk arising from this free access between computers, especially over an area as wide as the Internet.

Many corporate computer systems are protected from remote access by means of a corporate firewall. Corporations tend to keep both client PCs and email servers inside firewalls on relatively secure local area networks. These ‘islands’ of security are called secure domains. Whilst this level of security is useful, it does tend to prevent the accessing of email by remote clients, including, for example, a subscriber's home PC. Although some corporate information technology departments do provide methods for secure remote access to email messages, these methods tend to rely on accessing email messages from a predetermined remote site.

It is still, in general, difficult to arrange remote access to email messages within a secure corporate domain, particularly where access is to be obtained from a range of non-secure locations or PCs. Information stored in multiple locations in a long-term manner also presents targets which can be attacked multiple times at their weakest or least controlled points.

The invention provides a system and software intended to assist in remote accessing of email messages held within a secure domain.

The invention may, furthermore, make email messages available only when there is an indication that the end-user can retrieve the email. There exists a protocol specification called Session Initiation Protocol (‘SIP’), an IETF protocol adopted as the signalling protocol for UMTS third generation telecommunication networks, which supports a concept called ‘Presence’ by which an end-user's availability to communicate is indicated. SIP is going to be the standard signalling protocol/mechanism to support Voice over IP (‘VoIP’) for third generation networks.

There are multiple ways available to show Presence, that is, that a user is present. However, a preferred system in accordance with the invention uses the SIP presence concept to implement Presence. An end-user's Presence may have associated with it parameters such as time, location and the type of interface available to the end user. The Presence parameters may also include local addressing information for the user interface device in use, such as, for example, a Bluetooth device address. Presence is envisaged to be provided by a Presence server which, typically, resides outside the corporate firewall. If an end-user's Presence is true, then the end user is said to be Present.

In accordance with the invention, there is provided a communication system in which an incoming email received at an email server within a secure domain is copied to a secondary server outside that secure domain if the end user is Present, so that the copy email message can be retrieved therefrom from a remote device outside the secure domain.

Preferably, an end-user's email is only copied to the secondary server when the end-user is Present. A screensaver application at the remote device or at the PC client can be used as input to the Presence server so that the screensaver status forms part of the Presence parameters.

A record of the copied email may be kept at the PC client so that changes in the end-user's Presence can be used as a basis for sending a request for deletion of the email at the secondary server.

Preferably, the copy email message is encrypted using the public key of a public/private key pair and the remote device contains the private key thereof to enable the retrieved message to be decrypted.

In a further embodiment, the system provides means for copying a part of the incoming email message and sending it to the secondary email server so that the copied part of the message acts as a prompt to alert the user of the remote device that the full message is awaiting retrieval.

Alternatively, the email server may generate a prompt message and send it to the secondary server so that the prompt message serves to alert the user of the remote device that the full message is awaiting retrieval.

An embodiment of the system of the invention will now be described in detail, by way of example, with reference to the drawing, which is a schematic diagram illustrating the architecture of a system in accordance with the invention.

Software provided in accordance with the invention analyses incoming email messages arriving at a secure domain and forwards a copy of any incoming email message to a secondary email server which is outside the secure domain. The secondary server stores the email message and can send a copy of it through wired and/or wireless networks to the remote access client device. The remote access client device may also access the secondary server in order to retrieve email messages.

As can be seen in FIG. 1, an incoming email message is received at a ‘corporate’ email server 12 which is located within a secure domain 10, within which are to be found not only the server 12 but also, perhaps, a local area network (‘LAN’) and the client PC, that is the subscriber's office/work PC 14. The secure domain 10 is protected against unauthorised access by means of firewall software shown at 16.

The LAN and PC client 14 may run any suitable software for Internet applications, for example, Microsoft Outlook or Lotus Notes.

The software of the invention, which is installed at the client PC, copies the incoming email and sends the copy to a remote secondary server 20 located outside the secure domain 10. Separate email sending software (for example, an SMTP client) may be installed at the email server 12 so that normal operation of the email client is not affected.

As mentioned above, in a preferred system in accordance with the invention, an end-user's email may only be copied to the secondary server when the end-user is Present. The system uses the SIP presence concept to implement Presence using a Presence server 21 which, typically, resides outside the corporate firewall 16.

The software of the invention is provided with the public key, or a certificate containing the public key, of a public/private key encryption system of the subscriber to whom the email copy will ultimately be sent, and the copy of the email message sent to the secondary server 20 is encrypted using the public key in question.

The secondary email server 20 can forward the email to the remote client and/or home PC client, or alternatively can allow a remote client or home PC client to retrieve the email message. The secondary server 20 can encrypt messages for multiple onward email clients, each of which will be the only device able to decrypt the message intended for it. If the email message is encrypted specifically for the first client device, then that client device may automatically decrypt the message with its own private key and then forward it to the next email client.

One problem which arises in systems of this kind is to ensure that incoming email messages are securely and promptly made available to a remote client device which is only available intermittently. Some remote devices, such as mobile phones, may, further, have only limited capability to receive, store and/or display information. Security is, of course, a particular concern where email messages are encrypted.

As mentioned above, the email message is encrypted using the public key. A part of the email copy and/or a short message such as the sender's telephone number is encrypted using the same public key so as to reduce the message size and overcome the potential limitations posed by devices with low storage capacity (mobile phones). This prompt message is intended to be sent to whichever remote device is most available to the subscriber or end user (the ‘prompt device’).

The resulting encrypted prompt message is sent to the secondary server 20 by the separate email sending software at the email server 12. The prompt message is delivered to the prompt device as soon as possible. It can only be decrypted using the private key in the prompt device. The prompt message gives the end user information about the arrival of the email message and/or information about the email message (such as the sender's name) and/or information about how to access the email message (such as a password).

In a preferred embodiment, the choice of public/private key pair used is related to Presence parameters and the remote device contains a private key related to the end user's Presence to enable the message to be decrypted.

The Presence parameters may also be used to determine which part or parts of the email message should be copied and sent to the secondary server.

The system permits multiple prompt devices with the same or multiple public/private key pairs.

Using a remote email client device, such as a laptop PC, the end user can retrieve the email message copy from the secondary server 20, which can then be decrypted using the private key in that device.
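The forwarding path described above (copy only when Present, a size-limited prompt for a small device, a record at the PC used to delete the copy when Presence drops, and a key that a remote device can only reconstruct if its own Presence parameters match, in the manner of claims 9, 10 and 12) is shown below as an added example. This is not the patent's software or any product's code: the field names, the per-subscriber secret and the Presence values are assumptions, and because the Python standard library has no public-key primitives, an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC stands in for the public-key encryption the text specifies. One caveat a practitioner would want that the text does not state: cell identities and device identities are observable, so a key derived from Presence parameters alone is not secret; the example therefore mixes in a secret provisioned to both sides. In production, use AES-GCM or a vetted public-key envelope from a maintained library rather than this stand-in.

```python
"""Presence-gated copying of incoming email to a secondary server, each copy
sealed under a key bound to the prompt device's Presence parameters.
Constructed example, stdlib only; names and field layouts are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Presence:
    """Presence parameters as a Presence server might report them (assumed)."""
    present: bool
    interface: str              # e.g. "mobile-sms" or "laptop"
    location: str               # e.g. identity of the serving cell
    device_id: str              # e.g. the phone's identity
    second_device_id: str = ""  # e.g. the SIM, for the two-device binding
    capacity: int = 160         # bytes the prompt device can store (assumed)

def presence_key(p: Presence, subscriber_secret: bytes) -> bytes:
    """32-byte key from the Presence parameters plus a per-subscriber secret
    (the parameters alone are observable, so they cannot be the only input)."""
    params = "|".join([p.interface, p.location, p.device_id, p.second_device_id])
    return hmac.new(subscriber_secret, b"presence-key|" + params.encode(), hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR).
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Plaintext, or None when the tag does not verify under this key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def build_prompt(sender: str, subject: str, capacity: int) -> str:
    """Prompt for a small device: sender and subject only, cut to capacity."""
    prompt = f"New mail from {sender}: {subject}"
    return prompt if len(prompt) <= capacity else prompt[: capacity - 3] + "..."

class ForwardingAgent:
    """Runs on client PC 14 inside the secure domain; `secondary` is a dict
    standing in for the store of secondary server 20 outside it."""
    def __init__(self, subscriber_secret: bytes, secondary: dict):
        self.secret, self.secondary = subscriber_secret, secondary
        self.copied = {}        # record kept at the PC: msg_id -> Presence used

    def on_incoming(self, msg_id, sender, subject, body, presence: Presence) -> bool:
        if not presence.present:
            return False        # not Present: nothing leaves the secure domain
        if presence.interface.startswith("mobile"):
            payload = build_prompt(sender, subject, presence.capacity)
        else:
            payload = f"From: {sender}\nSubject: {subject}\n\n{body}"
        self.secondary[msg_id] = seal(presence_key(presence, self.secret), payload.encode())
        self.copied[msg_id] = presence
        return True

    def on_presence_change(self, new_presence: Presence) -> list:
        """Presence dropped: request deletion of every copy sent earlier."""
        if new_presence.present:
            return []
        stale = list(self.copied)
        for msg_id in stale:
            self.secondary.pop(msg_id, None)
        self.copied.clear()
        return stale

def retrieve(secondary: dict, msg_id, presence: Presence, subscriber_secret: bytes):
    """Remote-device side: decrypts only if its own Presence parameters match."""
    blob = secondary.get(msg_id)
    pt = None if blob is None else unseal(presence_key(presence, subscriber_secret), blob)
    return None if pt is None else pt.decode()

def demo():
    secret = b"subscriber secret provisioned out of band (assumed)"
    store = {}
    agent = ForwardingAgent(secret, store)
    phone = Presence(True, "mobile-sms", "cell-4711", "phone-01", "sim-01")
    agent.on_incoming("m1", "alice@example.com", "Q3 numbers", "full body...", phone)
    prompt = retrieve(store, "m1", phone, secret)                   # decrypts
    moved = Presence(True, "mobile-sms", "cell-9999", "phone-01", "sim-01")
    wrong = retrieve(store, "m1", moved, secret)                    # tag fails
    gone = agent.on_presence_change(Presence(False, "mobile-sms", "cell-4711", "phone-01", "sim-01"))
    return prompt, wrong, gone
```

`demo()` walks one message through the path: the prompt decrypts on the phone whose Presence parameters were used, a phone reporting a different cell gets a tag failure rather than garbage, and the deletion request is driven from the PC's record once Presence goes false. The same `presence_key` input covers the two-device case: change `second_device_id` (the SIM) and the key changes.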

By modifying the key used to encrypt the data, it is possible to utilise the system of the invention to provide data under special conditions, so that the system can meet a number of other needs as well.

In some circumstances it may be desirable to provide information securely so that it can be accessed only at a given location, or to provide information which is location dependent. For example, information about events at a sports arena might be made available only to remote devices in the immediate surroundings of the arena.

The system of the invention can be adapted to meet this need.

Information is encrypted using an encryption key which is derived from location information. For example, a cellular (mobile) phone operates within a ‘cell’ around a base station or base stations. The identity and/or communication characteristics of the base station(s) can be used to form a data string which functions as a decrypting key.

The server which transmits information to the remote device may know the resulting decrypting key, or the device may, as a preliminary step, retrieve location-related information and send the location information to the server. If the device retrieves the location information, then the device may perform calculations based on the retrieved location information and send the results of the calculations to the server. The device can send the results only to the server.

The device may encrypt the location information before sending the data.

Information describing the person using the remote device, the time and/or the characteristics of the device itself may be merged with the location-related information to define more clearly the end user's characteristics. Again this information, representing the end-user characteristics, is used to define the encryption key used by the server which sends information to the remote device.

The end user might also put in temporary information, such as a PIN, to render the device available temporarily for the information service provided to that location.

Where the remote device is a wireless device, the remote device's position needs to be calculated without changing anything in the wireless network. Although a wireless device such as a mobile phone has limited memory, the phone is aware of some data relating to its position in today's networks. This data is the timing advance for the base station to which it is connected at the time the measurement is conducted, and also both signal strengths and base station cell identity for all cells in the area (including but not limited to the one to which the cellphone is connected at the time in question).

The data can be made available to an application which resides in the phone. The application can poll for the data intermittently, or the data can be automatically streamed to the application.

The application can then act on the basis of the location dependent data that it has received.

The application may forward the measurement data to a server that resides in the network. This allows the server in the network to use a database with information about base station locations to calculate the position of the wireless device. The server would thus contain both the database and the location calculation software, and off-load the wireless device to allow the wireless device to be small and cheap to manufacture.

The server application may request the location data, or the application on the phone may automatically forward the data to the server.

The server may sign the location data request using, e.g., RSA digital signature algorithms, and the phone then verifies the signature prior to acting on the request, using, e.g., the public key of the server. This would prevent unauthorised access to a phone's location.

The phone application may encrypt the location information so that only the intended recipient is able to decrypt it. The phone application may also sign the location information, either automatically or with user PIN input, to verify that this phone and/or user are indeed at this location. The above could subsequently be time stamped to verify the time at which the phone and/or user were at the location in question.

All of the above could be done with servers and phones that are not part of the existing wireless networks, with no other impact than a slight increase in “traffic-as-usual”.

In the system of the invention, it is also possible to adapt the encryption key in such a way that services or information may be made available only to end users who possess a given combination of two devices, for example, a SIM and a phone.

This can be implemented without added security mechanisms by providing an application which resides in the first device, for example the phone, which can read data from the second device (the SIM). Alternatively, the second device (the SIM) may provide data to the first device which can be read by the application found in the first device. The application is such that it is only executable in a complete manner if the application has successfully read the data from the second device.

In order to give the user a positive experience even in cases where the two devices have not been correctly combined, the application residing in the first device may be such that it can execute along an alternative path providing a subset rather than the complete user experience, with indicators to cover the areas not made available. The user may, if the indicators are friendly enough, remain unaware that they have not received the full information or experience.
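The exchange in the two preceding paragraphs, as an added example that is not part of the patent: the server signs a location request, the phone verifies it before releasing any measurement data, and the phone returns a signed, timestamped report of the measurements the text lists (serving cell timing advance, neighbour cell identities and signal strengths) which the server verifies. Because the Python standard library has no RSA, HMAC-SHA256 under pre-shared keys stands in for the RSA signatures the text names; the message layout and the order of checks are unchanged, and with real RSA only `_sign` and `_verify` would change. The example adds one check the text does not mention but a practitioner would insist on: a signature alone lets a captured request be replayed at any later time, so the request carries a nonce and timestamp and the phone rejects stale or repeated ones. Key material, field names and measurement values are constructed.

```python
"""Authenticated location request/report exchange between a network server and
a phone. Constructed example, stdlib only: HMAC-SHA256 under pre-shared keys
stands in for the RSA signatures the text names; the checks are the same."""
import hashlib
import hmac
import json

def _sign(key: bytes, body: dict) -> str:
    # Canonical JSON so signer and verifier MAC identical bytes.
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _verify(key: bytes, body: dict, sig) -> bool:
    return hmac.compare_digest(_sign(key, body), sig or "")

def make_location_request(server_key: bytes, nonce: str, now: int) -> dict:
    """Server side: signed request carrying a nonce and timestamp (assumed layout)."""
    body = {"type": "loc-req", "nonce": nonce, "ts": now}
    return {"body": body, "sig": _sign(server_key, body)}

class PhoneAgent:
    """Phone application: releases measurement data only for a request that
    verifies under the server's key, is fresh and has not been seen before."""
    def __init__(self, server_key: bytes, phone_key: bytes, max_skew: int = 60):
        self.server_key, self.phone_key, self.max_skew = server_key, phone_key, max_skew
        self.seen_nonces = set()

    def measure(self) -> dict:
        # Constructed measurement data of the kind the text lists.
        return {"serving_cell": "262-01-1234-5678", "timing_advance": 3,
                "neighbours": [{"cell": "262-01-1234-5679", "rssi": -81},
                               {"cell": "262-01-1234-5680", "rssi": -93}]}

    def handle_request(self, req: dict, now: int):
        body = req.get("body", {})
        if body.get("type") != "loc-req" or not _verify(self.server_key, body, req.get("sig")):
            return None     # unsigned or forged request: do not reveal location
        nonce = body.get("nonce")
        if abs(now - body.get("ts", 0)) > self.max_skew or nonce in self.seen_nonces:
            return None     # stale or replayed request
        self.seen_nonces.add(nonce)
        report = {"type": "loc-rep", "nonce": nonce, "ts": now, "measurements": self.measure()}
        return {"body": report, "sig": _sign(self.phone_key, report)}

def accept_report(phone_key: bytes, rep, expected_nonce: str, now: int, max_age: int = 120):
    """Server side: a verified, timestamped report binds this phone to these
    measurements at body["ts"]; position is then computed from the server's
    base-station database (not shown)."""
    body = rep.get("body", {}) if rep else {}
    if body.get("type") != "loc-rep" or body.get("nonce") != expected_nonce:
        return None
    if not _verify(phone_key, body, rep.get("sig")) or now - body.get("ts", 0) > max_age:
        return None
    return body["measurements"]

def demo():
    server_key, phone_key = b"server key (assumed)", b"phone key (assumed)"
    phone, t0 = PhoneAgent(server_key, phone_key), 1_700_000_000
    req = make_location_request(server_key, "n-1", t0)
    rep = phone.handle_request(req, t0 + 2)
    good = accept_report(phone_key, rep, "n-1", t0 + 5)
    replay = phone.handle_request(req, t0 + 3)                 # same nonce again
    forged = make_location_request(b"attacker key", "n-2", t0)
    rejected = phone.handle_request(forged, t0 + 1)            # signature fails
    return good, replay, rejected
```

With a shared HMAC key both parties can produce a valid tag, so the report only proves "someone holding the phone's key"; the asymmetric property the text relies on, that anyone holding the server's public key can verify but only the server can sign, needs the RSA (or ECDSA) substitution noted above.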

Where additional security is required, information is encrypted with an encryption key which is calculated from information which is fixed and related to both devices, that is, in the example given, the phone and the SIM.

For example, a customer may be able to access interactive services using a mobile phone with a given SIM. All information sent by the server to the device, mobile phone or SIM, is encrypted with the special encryption key referred to above. The information can only be decrypted when the subscriber has information to hand about both devices so as to calculate a decryption key.

Where it is desired by an email client in a fixed location to deliver information to a mobile end user in a non-obtrusive manner, the email client can automatically send a status request to a device carried by the end user, or to a proxy server that represents the end user. The client device or proxy server responds with status information such as location or local time settings. The email client can then have pre-set rules that define how and where to deliver the information.

Some devices have multiple user interfaces. For example, the Nokia 9210 has a small front screen and a large internal screen. It may be necessary, therefore, to make information available only to chosen user interfaces.

This can be achieved by using the XML and/or XHTML style sheets that relate to each user interface as the decrypting keys.

It would also be useful if people who have not used a PC for a while could be alerted that something has happened on the PC. This could be achieved by using the screensaver feature on a PC to trigger the activation of email monitoring software. The email monitoring software can then forward incoming email or other events (such as calendar events) to the user's mobile phone by SMS.

Preferably, the email monitoring software can be made in such a way that locking the PC has no effect on the activities of the email monitoring software. Thus, even where a PC has been locked, a person who locked their PC after requesting alerts can still be alerted.

It may also be desirable to alert a person who is away from their PC to the presence of an incoming email message while keeping the PC secure from undesired access. Where this is necessary, the LOCK PC feature on a PC can be used to trigger the activation of email monitoring software which can then forward incoming email or other events (such as calendar events) to the user's mobile phone by SMS.

1. A communication system in which an incoming email received at an email server within a secure domain is copied to a secondary server outside that secure domain if the end user is Present so that the copy email message can be retrieved therefrom from a remote device outside the secure domain.
 2. A system according to claim 1 in which the email copy sent to the secondary server contains parameters which allow an application at the secondary server to use changes in the end-user's Presence parameters to activate email availability limitations or to delete the email.
 3. A system according to claim 1 in which the copy email message is encrypted using the public key of a public/private key pair and the remote device contains the private key thereof to enable the retrieved message to be decrypted.
 4. A system according to claim 3 in which the choice of public/private key pair used is related to Presence parameters and the remote device contains a private key related to the end user's Presence to enable the message to be decrypted.
 5. A system according to claim 1 including means for copying a part of the incoming email message and sending it to the secondary email server so that the copied part of the message acts as a prompt to alert the user of the remote device that the full message is awaiting retrieval.
 6. A system according to claim 5 including means for using the Presence parameters to determine which part or parts of the email message should be copied and sent to the secondary server.
 7. A system according to claim 1 in which a record of the copied email is kept at a PC client associated with the email server so that changes in the end-user's Presence can be used as basis for sending a request for deletion of the email at the secondary server.
 8. A system according to claim 1 in which a screensaver application at the remote device or at the PC client is used as input to the Presence server so that the screensaver status forms part of the Presence parameters.
 9. A system according to claim 2 in which a key used to encrypt the message or a part of the message is created dynamically using the Presence parameters of the remote device for which it is intended so that the email message or part thereof can only be decrypted by a remote device having the same Presence parameters.
 10. A system according to claim 1 in which an email message can be decrypted or retrieved by a remote access device only when the Presence parameters of the remote device have been associated with the Presence parameters of at least one other device; a key used to encrypt the data being dependent on the Presence parameters of both the remote device and the said at least one other device.
 11. A system according to claim 9 in which the decryption of the email message at the remote device is used to activate a notification application which notifies other devices or servers about the Presence parameters of the decrypting remote device at the time of decryption.
 12. A system according to claim 1 in which an email message can be retrieved only by a remote access device when it is associated with a second device; the key used to encrypt the data being dependent on information from or relating to both devices.
 13. A system according to claim 1 in which the key used for decryption of the email message carries information relating to interfaces available at the remote access device and only permits decryption of messages intended only for a predetermined interface or interfaces.
 14. A communication system in which an incoming email received at an email server within a secure domain is copied to a secondary server outside that secure domain so that the copy email message can be retrieved therefrom from a remote device outside the secure domain.
 15. Computer software recorded in machine readable form for implementing the system of claim 1.